http://ift.tt/1Nvh080 Big Whale said: "Tested on Google Chrome 43.0.2357.130 (64-bit) (Linux) and it works" "clearly URL spoofing" Thanks for testing! http://ift.tt/1GYsXS0 0pc0deFR said: "Work on Google Chrome Ubuntu" Bonjour, thanks for testing! http://ift.tt/1T18S30 Daniel Micay said: "It does display a window with the oracle.com address" "why you've got an ever increasing number of setTimeout events" http://ift.tt/1C43XKn Alexander E. Patrakov said: "Looks like a fork bomb" Thanks for testing! The number of "setTimeout" does NOT need to be increasing forever. OK, I admit - we are lazy(it works and we don't touch it anymore) :-) http://ift.tt/1R3EqYq Roney Gomes said: "it worked on the desktop version of Opera" Wow! Thanks for letting us know. Here is the screenshot of Opera http://ift.tt/1LVTVLp And Chrome http://ift.tt/1IuiaRS (A number is displayed in Chrome's address bar, not the same as Opera) http://ift.tt/1GWNdDM Daniel Micay said: "it can't always be replicated" "I've tried it a few times and" "it fails about as often as it works" http://ift.tt/1R3EozR Valentinas Bakaitis said: "PoC did not work" Hey! The trick here is timing: Please modify those numbers in code - make them smaller. http://ift.tt/1BXeEhG Zak Siddiqui said: "Is it reproducible with HTTPS?" Yes, we just tried this URL http://ift.tt/16kwqqf It works. In fact, it works BETTER against HTTPS, because HTTPS is slower, so timing is easier. http://ift.tt/1T18PEb Florian Weimer said: "they show the new URL while still displaying old content" Exactly, that's the cause of this bug. In the end, allow me to repeat: No user interaction on the fake page. But, anyone can do "BBB Accredited Business" "PayPal Partner" etc. Kind Regards, PS We love clever tricks. We love this: http://dieyu.org/ On 2015/6/30 7:08, David Leo wrote: > Impact: > The "click to verify" thing is completely broken... > Anyone can be "BBB Accredited Business" etc. > You can make whitehouse.gov display "We love Islamic State" :-) > > Note: > No user interaction on the fake page. > > Code: > ***** index.html > > Go
> ***** content.html > This web page is NOT oracle.com > > ***** It's online > http://ift.tt/1R2ihK7 > (The page says "June/16/2015" - it works as we tested today) > > Request For Comment: > We reported this to Google. > They reproduced, and say > It's DoS which doesn't matter. > We think it's very strange, > since the browser does not crash(not DoS), > and the threat is obvious. > What's your opinion? > > Kind Regards, > > PS > We love clever tricks. > We love this: > http://dieyu.org/
Source: Gmail -> IFTTT-> Blogger
No comments:
Post a Comment